Hello, I have some follow-up questions to Chris' response below (in blue).
On Wed, May 20, 2015 at 5:53 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Yuval,
>
> On 5/20/15 9:34 AM, Yuval Schwartz wrote:
> > I believe I am running tomcat 8.0 (although when I call the
> > getServerInfo() method of the implicit ServletContext Object It
> > tells me that I am running on 7.54)
>
> Then you are not running Tomcat 8.0.x.
>
> > I configured my realm element in my context.xml file as follows
> > (based on the howto guide:
> > https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html):
>
> If you are running Tomcat 7, the Tomcat 8 users guide may give you bad
> guidance. If you are intending to run Tomcat 8, you might want to get
> that fixed, first.

You are correct, I was running Tomcat 7, which doesn't use the same syntax for digesting from the command prompt (I think it doesn't have the options for salt, iterations, etc.). So I updated to Tomcat 8.

> > <Realm className="org.apache.catalina.realm.DataSourceRealm"
> > debug="99"
>
> The "debug" attribute hasn't been supported for something like 10 years.
>
> > dataSourceName="jdbc/board" localDataSource="true"
> > userTable="test_user" userNameCol="Email"
> > userCredCol="HashedPassword" userRoleTable="test_user_role"
> > roleNameCol="Role">
> >
> > <CredentialHandler className="MessageDigestCredentialHandler"
> > algorithm="SHA-1" iterations="1000" saltLength="48"/>
>
> Oh, good: someone is using the CredentialHandler to improve their
> security. You might want to:
>
> 1. Switch to a larger hash, like SHA-256
> 2. Find out how much time it takes to do 1000 SHA-1 (or SHA-256)
> hashes on your server. You want the hashing to take more than a
> trivial amount of time. Our services currently use more than 10k
> iterations of SHA-256. This makes brute-forcing our password database
> very time consuming for an attacker, if they were to capture the
> database itself.
>
> > </Realm>
> >
> > However, despite the password being stored in the format described
> > in your "how to" manual (ie: {salt}${iterations}${password}),
> > authentication fails. I assume that this is because something in my
> > <Realm> configuration is wrong.
>
> Tomcat can generate a hash for you from the command-line:
>
> $ ./bin/digest.sh -a SHA-256 -i 1000 -s 48 'test'
> test:04d9deb5f6f1f206c7139a28806e7ebde8f444018e0191168f8d00291d6e8719cd2
> 5cc82eca073f9a925c005aadf238b$1000$22cb9257949205ffbff01088b46137cf768dc
> 67a0faca26f48269ca9250d4d9b
>
> Let's take-apart that credential to see what's in there:
>
> hash:

Don't you mean "salt" above, instead of "hash:"?

> 04d9deb5 f6f1f206
> c7139a28 806e7ebd
> e8f44401 8e019116
> 8f8d0029 1d6e8719
> cd25cc82 eca073f9
> a925c005 aadf238b
>
> That's 48 bytes (96 characters) of data.
>
> iteration count: 1000 (easy)
>
> fingerprint:
> 22cb9257 949205ff
> bff01088 b46137cf
> 768dc67a 0faca26f
> 48269ca9 250d4d9b
>
> That's 32 bytes (64 characters) of data. SHA-1 produces 32-byte

I think you mean "SHA-256" here, right?

> output, so this looks good on the face of it.

Yes, it looks correct. My issue is that I would like to run this "digest" from a servlet. How would I do that? I need to run it from a servlet because I need to enter it into my database (in the format {salt}${iterations}${password}).

> > I was not able to find an answer on online help forums. I also
> > couldn't find a way to call the initialized DataSourceRealm
> > Object's digest method when inputting the HashedPassword (ie: I had
> > to calculate salt and hash on my own using the SHA-1 algorithm).
> > Perhaps this also has something to do with why authentication is
> > failing?
>
> You probably weren't following the algorithm the same way. For
> example, the 1000 iterations is done like this:
>
> cred = password
> do 1000 times:
>     cred = hash ( salt + cred )
>
> You probably forgot to salt the credential for each of the iterations.
Should I even be doing it this way? This relates to my previous comment: is there no way to call the same digest function that we ran from the command line, in a servlet? Indeed there is a digest method as part of the RealmBase API, I just don't know how to get an instance of the RealmBase Object from the servlet.

> Take a look at the RealmBase class to see how the stored credential
> should be generated initially.

I looked at the RealmBase class: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/RealmBase.html I couldn't find where it mentions how to initially generate the stored credential. Could you give me a little more direction as to where I should look? Thanks a lot again.

> -chris
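As an added reference implementation (not code from the thread, and not Tomcat's own), here is the stored-credential format the thread takes apart: a parser that performs the same length checks, a generator, and a constant-time verifier that recomputes with the stored salt and iteration count. The round structure is an assumption: it applies the salt in the first round only and re-hashes the digest afterwards, which is how I understand Tomcat's digest code rather than the per-round re-salting sketched in the quoted pseudocode, so `interop_check()` against the quoted digest.sh output is the deciding test before trusting it for the HashedPassword column.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stored form printed by digest.sh in the thread: {salt-hex}${iterations}${fingerprint-hex}
ALGORITHM = "sha256"   # thread's recommendation; "sha1" would match the original Realm config
ITERATIONS = 1000
SALT_LENGTH = 48       # bytes, i.e. 96 hex characters once encoded

# The digest.sh output quoted in the thread for password 'test', re-joined across line wraps.
SAMPLE_CREDENTIAL = (
    "04d9deb5f6f1f206c7139a28806e7ebde8f444018e0191168f8d00291d6e8719cd2"
    "5cc82eca073f9a925c005aadf238b$1000$22cb9257949205ffbff01088b46137cf768dc"
    "67a0faca26f48269ca9250d4d9b"
)


def fingerprint(password: str, salt: bytes, iterations: int, algorithm: str = ALGORITHM) -> bytes:
    """Assumed round structure: round 1 hashes salt || password, every later round
    re-hashes the previous digest (the salt is not re-applied per round)."""
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def make_credential(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS, algorithm: str = ALGORITHM) -> str:
    """Build the stored credential; a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LENGTH)
    return f"{salt.hex()}${iterations}${fingerprint(password, salt, iterations, algorithm).hex()}"


def parse_credential(stored: str) -> Tuple[bytes, int, bytes]:
    """Take the credential apart (salt, iteration count, fingerprint); reject malformed input."""
    parts = stored.split("$")
    if len(parts) != 3:
        raise ValueError("expected {salt}${iterations}${fingerprint}")
    salt, iterations, fp = bytes.fromhex(parts[0]), int(parts[1]), bytes.fromhex(parts[2])
    if iterations < 1 or not fp:
        raise ValueError("iteration count must be >= 1 and fingerprint non-empty")
    return salt, iterations, fp


def verify(password: str, stored: str, algorithm: str = ALGORITHM) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    salt, iterations, fp = parse_credential(stored)
    if len(fp) != hashlib.new(algorithm).digest_size:   # 32 bytes for SHA-256, 20 for SHA-1
        return False
    return hmac.compare_digest(fingerprint(password, salt, iterations, algorithm), fp)


def interop_check() -> bool:
    """True only if the assumed round structure reproduces the thread's digest.sh output."""
    return verify("test", SAMPLE_CREDENTIAL)
```

If `interop_check()` returns False on your Tomcat version, the loop in `fingerprint` is the place to adjust (for example to the per-round re-salting quoted above) until it matches a fresh `digest.sh` output for the same salt, iterations and password.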